Date: Wed, 1 Sep 2010 15:46:57 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Marc Delisle <Marc.Delisle@...epsherbrooke.qc.ca>, Michal Cihar <michal@...ar.com>, "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request -- phpMyAdmin - v3.6.6 -- XSS attack using debugging messages (CVE-2010-3056 discussion)

Please use CVE-2010-2958

Thanks.

--
JB

----- "Jan Lieskovsky" <jlieskov@...hat.com> wrote:

> Hi Steve, vendors,
>
> on 2010-08-30 phpMyAdmin published PMASA-2010-6 addressing one
> XSS:
>   http://www.phpmyadmin.net/home_page/security/PMASA-2010-6.php
>
> Summary (from ):
> XSS attack using debugging messages.
>
> Description (from ):
> It was possible to conduct a XSS attack using error messages in
> PHP backtrace.
>
> Affected versions (from ):
> For 3.x: versions before 3.3.6 are affected.
> Branch 2.11.x is not affected by this
>
> Upstream commit:
>
> http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=133a77fac7d31a38703db2099a90c1b49de62e37
>
> phpMyAdmin upstream seems to reference CVE-2010-3056 as CVE id to this
> flaw.
>
> But CVE-2010-3056 was previously assigned to:
>   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3056
>   https://bugzilla.redhat.com/show_bug.cgi?id=625877
>   http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php
>
> which affected both (from ):
> For 2.11.x: versions before 18.104.22.168 are affected.
> For 3.x: versions before 22.214.171.124 are affected.
>
> so this is a different issue and a new CVE id should be allocated (due
> to different affected versions).
>
> Could you please allocate one?
>
> Thanks && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team